Posted by CowboyNeal on Thursday February 05, 2004 @06:49PM from the even-the-best-of-us dept.

*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

Who the heck is Spyder Inc? The TCP/IP stack in NT 3.1 was the STREAMS-based SpiderTCP 6 (IIRC) from Spider Systems Ltd. (I used to work for them). This in turn used some BSD code. This stack was replaced in NT 3.5, with a stack allegedly written from scratch at Microsoft according to this [kuro5hin.org].

IPv6 is available in the base install, but you have to actually have an IPv6 address assigned that people can get to to exploit this issue. It's really a non-issue for the 99% of people running OpenBSD out there, but for some, like myself, it's time to upgrade.

I recall this vaguely, that it was only able to crash sshd on a recent OpenBSD box; it was exploitable on other platforms (though older OpenBSDs would have been equally vulnerable).

Not only that, but for those blaming OpenSSH for making bad code that created the exploit, it was one that had been present since ossh (the free ssh implementation the OpenBSD team used to make OpenSSH).

There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame. The only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.

For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.

Just because they fixed it before it was reported doesn't mean it never existed -- or that it was never quietly exploited. This sort of semantic game detracts from the hard work that goes into OpenBSD. It may be no worse than the sort of word games used to market other software, but in an area like security where trust is paramount it needlessly raises suspicion.

"It's just a crash" is among the dumbest things anyone could say about a bug. Not quite as bad as "It's just a remote root exploit" but very disturbing nonetheless. The only thing that seems to offer any reassurance is that it requires a patched kernel or custom stack to exploit, but a person bent on bringing down a system *could* do these things without too much trouble, I would think. My question is, for a serious cracker wouldn't taking down a system in a manner like this be much more inviting if all they

Yes, it's disturbing, but only because it happened, not because Theo's clueless. But the point of such a comment is that "It's NOT a root exploit". By contrast, with Microsoft, major exploits happen Too Frequently and crashes happen too often to bother reporting.

A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.

Without seeing Theo's complete statement you can't tell if the statement is dismissive (something I find difficult to believe) or if it is qualifying - i.e. the exploit only produces a crash.

Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context, be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.

He IS being sarcastic. If this was a Microsoft bug and they said "It's just a crash" it surely would be quoted exactly the same way, because it is a silly statement. Let's see:

*no comment* writes "If you are IPv6 on WinXP, it might be time to upgrade to Linux (just kidding). There is, however, a way to crash WinXP with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Bill Gates, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

Okay, now that the wording has been changed to Microsoft, doesn't it suddenly look like a typical rabid-anti-Microsoft Slashdot article? You are so blinded by the belief that everything is anti-Microsoft that you cannot even see people being sarcastic about anything not Microsoft!

I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata [openbsd.org] page.

Give it a little time. They usually patch -current first to test it out, then backport the patches to -stable. Patching -current first saves time in the long run, in cases like this where it's not really a MS level issue :) If it was more serious, -stable would get the patch first, and then it would be ported into -current.

Do what I did last night before I even knew about this - comment IPV6 completely out of your kernel entirely for efficiency's sake.

One of the reasons OpenBSD tends to be more secure is because it ships with *almost* everything off. However, there's a solid 10+ default user accounts, 3-4 default services (sshd, sendmail, inetd/portmap), and 75+ kernel/device options you should remove/recompile out upon installation (this is all assuming your only purpose is to create an x86-based router).

Yes, you'll need to muck about with /etc/mtree/special and /var/cron/tabs a bit to keep everything from whining to syslog constantly, but every unnecessary thing removed is a potential exploit avoided.

Remote openbsd crash with ip6, yet still openbsd much better than windows

Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable

Risk: Medium
Date: 4 February 2004

Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL: http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6 and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.

Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c:
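The advisory above says the trigger is a "small ipv6 mtu" advertised to the victim before a TCP connect. On the defending side, the MTU value in an ICMPv6 Packet Too Big message is the thing worth inspecting: RFC 2460 requires every IPv6 link to carry at least 1280 octets, so a Packet Too Big announcing less than that is never legitimate path-MTU discovery. The checker below is an added example, not code from the advisory or from OpenBSD; the sample messages are constructed, and the 1280-octet floor and the ICMPv6 header layout (type, code, checksum, then a 4-byte MTU field for type 2) come from the RFCs, not from this page.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_MIN_MTU = 1280          # RFC 2460: every IPv6 link must carry 1280 octets
ICMPV6_PACKET_TOO_BIG = 2    # ICMPv6 type 2 / code 0 (RFC 2463)


@dataclass
class PtbCheck:
    icmp_type: int
    code: int
    mtu: Optional[int]       # None unless the message is Packet Too Big
    verdict: str             # "ok", "suspicious" or "ignored"


def check_icmpv6(payload: bytes) -> PtbCheck:
    """Inspect one ICMPv6 message (the bytes following the IPv6 header).

    Fixed header: type(1) code(1) checksum(2) plus a 4-byte field whose
    meaning depends on the type; for Packet Too Big it is the advertised MTU.
    """
    if len(payload) < 8:
        raise ValueError("ICMPv6 header is 8 bytes; got %d" % len(payload))
    icmp_type, code, _checksum, field = struct.unpack("!BBHI", payload[:8])
    if icmp_type != ICMPV6_PACKET_TOO_BIG:
        return PtbCheck(icmp_type, code, None, "ignored")
    # A conforming router never advertises below the IPv6 minimum MTU, so a
    # smaller value is either a broken router or traffic worth alerting on.
    verdict = "ok" if field >= IPV6_MIN_MTU else "suspicious"
    return PtbCheck(icmp_type, code, field, verdict)


def scan(messages: List[bytes]) -> List[Tuple[int, int]]:
    """Return (index, mtu) for every sub-minimum Packet Too Big message."""
    hits = []
    for idx, msg in enumerate(messages):
        result = check_icmpv6(msg)
        if result.verdict == "suspicious":
            hits.append((idx, result.mtu))
    return hits


# Constructed sample traffic (not a capture): a legitimate PTB for MTU 1400,
# an Echo Request (type 128), and a PTB advertising an impossible 200 bytes.
# Each PTB carries the start of an IPv6 header (0x60...) as the invoking packet.
SAMPLES = [
    struct.pack("!BBHI", 2, 0, 0, 1400) + b"\x60" + b"\x00" * 39,
    struct.pack("!BBHI", 128, 0, 0, 0x12340001),
    struct.pack("!BBHI", 2, 0, 0, 200) + b"\x60" + b"\x00" * 39,
]

if __name__ == "__main__":
    for idx, mtu in scan(SAMPLES):
        print(f"message {idx}: Packet Too Big with MTU {mtu} < {IPV6_MIN_MTU}")
```

Fed ICMPv6 payloads from a packet filter's log or a capture, the same check flags sub-minimum MTU advertisements before they reach a host that trusts them.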

Now let's see... what are the chances of finding both an OpenBSD server (an unpatched one at that) and an IPv6 network in the same place? I think I'd better stick to plausible worries like lightning strikes, seatbelt failures, and choking to death on my turkey dinners.

Not long ago there was an article about not only how ipv6 isn't needed, but that since it's 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?

I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? And if so, isn't it trivial to avoid the same early mistakes in ipv6? Does this particular problem have an ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?

This is a problem with an IMPLEMENTATION of the IPv6 stack, so it's not IPv6 that's at fault, but rather this code. There are still problems appearing today with regards to different people's implementations of the IPv4 protocol, so I guess you can't really say there's a problem as such, since there will always be the possibility for a future implementation to fuck up badly. And surprisingly, the IPv6 implementation that MS provides for WinXP is actually a damn good one. Many people don't believe MS can produce

ipv6 is a must-upgrade solution... it IS newer code, it does get rid of NAT (which is partially used for security) and ipv4 DOES have some hacks to make it scale higher... however, once all of china connects to the net, all of india, all of everyone, there just physically isn't enough. And NAT just isn't a clean solution when used with private addressing; it works, but it is a hack to an unavoidable fix.

ipv6 has security built into it, more addresses then particles in the universe, and eliminates the need f

As a sysadmin of a college network, "just a crash" *really* helped me.

I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.

Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.

Now if only the average windows box would *only* bluescreen in response to being cracked / infection with the latest... rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.

No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.

What would you rather Theo say? "OMG OMG OMG!!! It's a CRASH!!! Oh dear god! Quick, run around like headless chickens!!!!! Someone better get this patched pronto!!" or "It's just a crash." and get on with the patching?

Seriously, it's getting fixed. You think his reaction would change the pace with which the bug gets fixed?

Many operating systems let you write raw Ethernet packets to the Ethernet. Most operating systems let you write raw IP packets to the IP subsystem, which then routes them and sends them to Ethernet or whatever, though sometimes "you" have to be root or maybe another privileged user. A much smaller number of operating systems let you write raw IPv6 packets to the IPv6 subsystem.

So maybe you need to patch a Linux OS to get some help sending broken ICMPv6 packets, or maybe you just need to do creative writ

It's not as if there hasn't been an Outlook (Express) version for Solaris, you know? I still sometimes use IE 5.0 on my Sun Ultra5, mostly for quick testing.

(On the other hand, as everybody knows, IE is an integral part of windows and could never work on Solaris, HP-UX or Mac OS, just as it would be impossible to create a Windows version without IE, like WinXP-PE)

What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me; he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.

(Moderators: The BSD ports system has slightly less than nothing to do with TCP/IP ports being open, closed or missing on firewall or other machines. It's just a homonym (no, it has absolutely nothing to do with gays [geometry.net]).)

The good thing about ports is that, due to their alcohol and tannin content, you *CAN* leave them open much longer than more typical wines. I have a nice port (Fonseca) sitting open on my bar at home. I take a couple of nips from it every evening, and then replace the glass stopper on the carafe. It is a wonderful way to end the work-day. Go grab yourself a 10-year Tawny and you'll see what I mean.

You do need to be careful with how many ports you have open. I find after a couple of ports my work product increases. After a few more, it tends to decrease, exponentially going downhill with each subsequent port. You need to be especially careful with a root prompt and several open ports late at night.

While possibly not a direct security threat, remote crash exploits are obviously highly disruptive and in today's networked economy, highly costly in terms of lost productivity.

While a crash exploit doesn't guarantee it, it usually means that a root exploit is possible.

Think about it: You got the machine to execute code it shouldn't have executed (or overwrite something 'way important it shouldn't have overwritten, or with a value it shouldn't have written.) This usually means you changed the program c

I dunno, man, winnuke was a big problem on our campus in 98(?). It's so much easier to crawl through a block of IPs sending a few packets than to DOS the whole netblock. You can even do it from a modem in a few minutes.

OK, that just piqued my curiosity. I am very sorry it did, but it did. People, do NOT follow that link in the grandparent post. Just take my word for it. Don't. No amount of curiosity is worth seeing that.

OpenBSD was branched from NetBSD well before IPv6 support came out. The kernels have diverged quite a lot since then. There is no enhanced risk for NetBSD. I doubt if other systems are vulnerable, just because of the fact that knowledge about security and DOS holes are shared pretty freely between the groups, and we haven't heard about FreeBSD or NetBSD.

I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.

It should be amusing and rare to hear about these holes in ANY OS. OpenBSD should get more press than Windows for holes, after all openBSD has so few that you can safely assume the people using openBSD don't bother to pay attention, while those using Windows have to pay attention. Therefore we need extra effort to get the attention of OpenBSD users on the rare times it is needed.

Sadly it doesn't work that way. Windows users, despite having lots (by comparison) of holes, never patch, while openBSD seems

The analogy would be the way the press treat road and rail accidents. In the UK (BTW no passengers at all were killed in crashes last year) it is headline news for weeks, and then again all through the inevitable public enquiry if 4 people are killed in a train crash, yet IIRC on the same day, or maybe the next day as 4 were killed in the crash I am thinking of, at least 10 died on the roads, 6 in one vehicle. That one got a small paragraph.... The average is 10 a day in the UK on the roads, about 2 or 3 p

But they are "securitier than thou." You're pretty much asking them to change their focus, do you think that security is a bad goal?

Maybe you need to get out of this sports mentality and stop feeling inadequate when another "team" is doing better in one area than your favorite?

It's fine to have security as your focus. In fact, that's great. What turns me off is the attitude that OpenBSD is axiomatically more secure. The response from TdR shouldn't be "it's just a crash." It should be, "Man, we screwed up